VoIP Mailing List Archives
Mailing list archives for the VoIP community
anuragrana31189 at gma... Guest
Posted: Fri Jun 27, 2014 12:15 pm Post subject: [asterisk-users] Attack on Sip server.
Can't use anything which blocks IP addresses because my system is behind a gateway and the attacker gets the address of that gateway. In this way I will end up blocking myself.
Please suggest something else.
On Fri, Jun 27, 2014 at 10:24 PM, Anurag Rana <anuragrana31189@gmail.com> wrote:
Quote: | Right Mitul. System is behind some gateway.
On Fri, Jun 27, 2014 at 10:06 PM, Mitul Limbani <mitul@enterux.in> wrote:
Quote: |
I think your Asterisk server is behind a firewall or some sort of NAT where the out-to-in packets are getting masqueraded with the local or DMZ IP of your firewall / gateway box.
Fix this first to get fail2ban to detect the correct public IP.
Otherwise fail2ban will ban your local GW IP, due to which you won't be able to access the box even from your local network for ssh.
Hope you know how to fix the firewall SNAT.
Mitul
On 27-Jun-2014 9:51 PM, "Jai Rangi" <jprangi@didforsale.com> wrote:
Quote: | Anurag,
Here is a small script that will check your logs and will block the IPs.
http://www.didforsale.com/blog/is-your-asterisk-system-under-heavy-attack
This is good if you don't expect any registration. If you do have some valid registrations, you might want to add some counter to see how many times an IP needs to fail, or how many different users an IP is trying to register as, before blocking the IP.
Jai Rangi
www.didforslae.com
On Fri, Jun 27, 2014 at 7:37 AM, Anurag Rana <anuragrana31189@gmail.com> wrote:
Quote: |
Hi All.
Someone is attacking my SIP server.
There are a lot of requests coming in and I am not able to stop it because I am unable to detect the IP address.
I used Wireshark to capture the packets.
Although I am using very strong passwords for my SIP users, is there still any way to drop these packets and stop this attack?
I tried dropping packets after matching some string (most of the packets from the attacker contain the string 'VaxSIPUserAgent/3.1') but it failed. Packets are still flowing in.
Quote: | iptables -I INPUT 1 -p tcp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm -j DROP |
It's something like this:
Registration from '"30" <sp:30@my_public_ip:5060> failed for '192.168.xxx.xxx:6373' - Wrong Password
and there are approx 10 requests per minute of this type.
Please suggest some way to stop this.
--
Anurag Rana
http://newbie42.blogspot.in/
On the trampoline of life's experiences, Striving towards a saintly life in the midst of these materialistic turbulences.
--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
        http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
  http://lists.digium.com/mailman/listinfo/asterisk-users
mitul at enterux.in Guest
Posted: Fri Jun 27, 2014 12:35 pm Post subject: [asterisk-users] Attack on Sip server.
No way out. Fix your gateway which is masquerading out-to-in traffic.
And do some research as others mentioned instead of expecting a quick fix.
Mitul
On 27-Jun-2014 10:45 PM, "Anurag Rana" <anuragrana31189@gmail.com> wrote:
Quote: | Can't use anything which blocks IP addresses because my system is behind a gateway and the attacker gets the address of that gateway. In this way I will end up blocking myself.
Please suggest something else.
anuragrana31189 at gma... Guest
Posted: Fri Jun 27, 2014 12:44 pm Post subject: [asterisk-users] Attack on Sip server.
Ok. Thanks.
On Fri, Jun 27, 2014 at 11:05 PM, Mitul Limbani <mitul@enterux.in> wrote:
Quote: |
No way out. Fix your gateway which is masquerading out-to-in traffic.
And do some research as others mentioned instead of expecting a quick fix.
asterisk.org at sedwar... Guest
Posted: Fri Jun 27, 2014 1:22 pm Post subject: [asterisk-users] Attack on Sip server.
Please don't top-post.
Please trim posts to the specific post you are replying to.
On Fri, 27 Jun 2014, Anurag Rana wrote:
Quote: | Can't use anything which blocks IP addresses because my system is behind
a gateway and the attacker gets the address of that gateway. In this way I
will end up blocking myself.
Please suggest something else.
|
The most effective approach would be to configure your gateway to block
all IP addresses and white-list the ones you really need.
If you are in control of the endpoints, moving to a non-standard SIP port
as previously suggested should be pretty effective. Most script-kiddies
won't bother to 'port-scan' to identify the new port number.
--
Thanks in advance,
-------------------------------------------------------------------------
Steve Edwards sedwards@sedwards.com Voice: +1-760-468-3867 PST
Newline Fax: +1-760-731-3000
mdupuis at ocg.ca Guest
Posted: Sun Jun 29, 2014 9:16 am Post subject: [asterisk-users] Attack on Sip server.
If you have a small Asterisk installation, install the free version of SecAst:
http://www.voip-info.org/wiki/view/SecAst+(Asterisk+Intrusion+Detection+and+Prevention)
For general Asterisk security info check this out:
http://www.voip-info.org/wiki/view/Asterisk+security
-=Michelle=-
All opinions posted are my own, and do not necessarily reflect those of my employer. As an employee of GenerationD my opinions are seriously biased.
From: asterisk-users-bounces@lists.digium.com on behalf of Anurag Rana <anuragrana31189@gmail.com>
Sent: Friday, June 27, 2014 10:49 AM
To: Prakash N
Cc: Asterisk Users List
Subject: Re: [asterisk-users] Attack on Sip server.
I added both rules, TCP as well as UDP. Still not working.
How will changing the SIP listen port prevent it? Please explain.
I will try fail2ban.
On Fri, Jun 27, 2014 at 8:16 PM, Prakash N <prakash.n@tevatel.com> wrote:
Quote: | Hi,
Install fail2ban and change the SIP listen port to avoid the attack.
With regards
N.Prakash
andres at telesip.net Guest
Posted: Sun Jun 29, 2014 7:09 pm Post subject: [asterisk-users] Attack on Sip server.
Quote: | Quote: | iptables -I INPUT 1 -p tcp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm -j DROP |
It's something like this:
Registration from '"30" <sp:30@my_public_ip:5060> failed for '192.168.xxx.xxx:6373' - Wrong Password
and there are approx 10 requests per minute of this type.
Please suggest some way to stop this.
|
In my experience you need to do 2 things to fix your problem.
#1) Get the real IP address of the attacker.
First you will need to recompile Asterisk to enable the log that shows the IP of the attacker. It apparently is only set for debug, so you need to edit chan_sip.c.
In chan_sip.c:
    if (!peer) {
        if (debug)                                      *** <--- delete this line
            ast_verbose("No matching peer for '%s' from '%s'\n",
                of, ast_sockaddr_stringify(&p->recv));
        }                                               *** <--- delete this line
This will enable logs like:
    VERBOSE[24693] chan_sip.c: No matching peer for '1000' from '104.14.190.14:5080
#2) Now that you have the IP of the attacker, just use fail2ban to block him automatically. Make sure you test out your rules. For example, the above log is detected with the fail2ban rule:
    VERBOSE%(__pid_re)s [^:]+: No matching peer for '[^']*' from '<HOST>(:[0-9]+)?'$
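As an added example (not code from the thread or from fail2ban itself), the following Python applies the failregex quoted above to a few constructed chan_sip log lines, counts failures per source host the way fail2ban's maxretry does, and holds back any host inside a private ignore list, which is the gateway self-lockout Mitul warns about earlier in the thread. The log lines, the ignore ranges, and the expansion of %(__pid_re)s as a bracketed pid are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# The thread's failregex with fail2ban's <HOST> tag turned into a named group
# and %(__pid_re)s taken to expand to "[<pid>]" (an assumption). IPv4 only.
FAILREGEX = re.compile(
    r"VERBOSE\[\d+\] [^:]+: No matching peer for '(?P<user>[^']*)' "
    r"from '(?P<host>[^':]+)(:[0-9]+)?'$"
)

# Constructed sample log (documentation and private addresses only). The
# 192.168.1.1 lines show what a masquerading gateway makes every outside
# attempt look like: the self-lockout problem raised in the thread.
SAMPLE_LOG = """\
[Jun 27 22:10:01] VERBOSE[24693] chan_sip.c: No matching peer for '1000' from '203.0.113.45:5080'
[Jun 27 22:10:02] VERBOSE[24693] chan_sip.c: No matching peer for '1001' from '203.0.113.45:5080'
[Jun 27 22:10:03] VERBOSE[24693] chan_sip.c: No matching peer for '1002' from '203.0.113.45:5080'
[Jun 27 22:10:04] VERBOSE[24693] chan_sip.c: Registered SIP '30' at 192.168.1.20:5060
[Jun 27 22:10:05] VERBOSE[24693] chan_sip.c: No matching peer for '30' from '192.168.1.1:6373'
[Jun 27 22:10:06] VERBOSE[24693] chan_sip.c: No matching peer for '30' from '192.168.1.1:6373'
[Jun 27 22:10:07] VERBOSE[24693] chan_sip.c: No matching peer for '30' from '192.168.1.1:6373'
[Jun 27 22:10:08] VERBOSE[24693] chan_sip.c: No matching peer for '9999' from '198.51.100.7:5060'
"""

# Ranges a fail2ban "ignoreip" would carry for this setup (assumed values).
IGNORE_NETS = ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")


def parse_failures(log_text):
    """Return (host, user) for every line the failregex matches. fail2ban
    strips the timestamp prefix before matching, hence search() not match()."""
    hits = []
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if m:
            hits.append((m.group("host"), m.group("user")))
    return hits


def ban_candidates(log_text, maxretry=3, ignore_nets=IGNORE_NETS):
    """Apply a per-host maxretry threshold and split hosts that reach it into
    bannable ones and ones inside the ignore list (ban those and you lock
    yourself out; the fix is the gateway's SNAT, not the rule). Also counts
    distinct usernames per host, the extra counter Jai suggests above.
    Returns (to_ban, masqueraded, distinct_users)."""
    ignore = [ipaddress.ip_network(n) for n in ignore_nets]
    counts = defaultdict(int)
    users = defaultdict(set)
    for host, user in parse_failures(log_text):
        counts[host] += 1
        users[host].add(user)
    to_ban, masqueraded = [], []
    for host, n in counts.items():
        if n < maxretry:
            continue
        if any(ipaddress.ip_address(host) in net for net in ignore):
            masqueraded.append(host)
        else:
            to_ban.append(host)
    return sorted(to_ban), sorted(masqueraded), {h: len(u) for h, u in users.items()}
```

With the sample log, 203.0.113.45 is the only host reported for banning; 192.168.1.1 reaches the threshold too but is reported as masqueraded instead, and 198.51.100.7 stays under maxretry.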
asterisk at a-domani.nl Guest
Posted: Tue Jul 01, 2014 4:53 pm Post subject: [asterisk-users] Attack on Sip server.
On Fri, 2014-06-27 at 22:24 +0530, Anurag Rana wrote:
Quote: |
iptables -I INPUT 1 -p tcp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm -j DROP
|
You make a fundamental mistake here.
Firewalls (both inline and host-based) should drop everything by default.
And you should specifically accept what you are expecting and are capable of
handling. Not the other way round.
The above rule is something like:
The front door is locked between 9:30 AM and 10:15 AM, as you expect
burglars to come to your house.